Free Malware Removal Forum


My computer is experiencing massive malware. The symptoms are constant popups and programs automatically starting that I did not install. They eat up my computer memory and make it so that it is barely usable. I ran FRST and generated the FRST.txt and Addition.txt files. The FRST.txt is too large to post in the message box. Per the instructions of the website I have attached the FRST.txt file. If there is a preferred method other than this to communicate the file, please advise. Here is the Addition.txt file:

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the "Infected? Virus, malware, adware, ransomware, oh my!" forum and wait for help.

Unless informed of in advance, failure to post replies within 3 days will result in this thread being closed.

Hi Max

I'm Gary R,

Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

As an added safety precaution, before we start removing anything, I'd like you to make a backup of your Registry, which we can restore to if necessary.

Please click on THIS link, and follow the instructions for installing TCRB and creating a backup of your Registry.

Please observe these rules while we work:

Do not edit your logs in any way whatsoever.

Perform all actions in the order given.

If you don't know, stop and ask! Don't keep going on.

Please reply to this thread. Do not start a new topic.

Stick with it till you're given the all clear.

Remember, absence of symptoms does not mean the infection is all gone.

Don't attempt to install any new software (other than those I ask you to) until we've got your computer clean.

Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. If your defensive programmes warn you about any of those tools, be assured that they are not infected, and are safe to use.

If you can do these things, everything should go smoothly.

As you're using Windows 8.1, it will be necessary to right click all tools we use and select ----> Run as Administrator

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

When finished searching a log will open on your Desktop ... Search.txt

Please post it in your next reply.

Summary of the logs I need from you in your next post:

ADWCleaner log

New FRST.txt

New Addition.txt

Search.txt

Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.

System errors:
=============
Error: (05/14/2015 07:47:37 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Search Module Plus Update service failed to start due to the following error: %%2

Error: (05/14/2015 07:47:36 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Quick Ref 1.10.0.12 Client Service service failed to start due to the following error: %%2

Error: (05/14/2015 07:47:34 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Infonaut 1.10.0.14 Client Service service failed to start due to the following error: %%2

Error: (05/14/2015 07:47:34 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Adobe Licensing Console service failed to start due to the following error: %%1053

Error: (05/14/2015 07:47:34 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Adobe Licensing Console service to connect.

Error: (05/14/2015 07:44:20 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error: %%1056

Error: (05/14/2015 07:43:50 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

Error: (05/14/2015 07:43:50 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (05/14/2015 07:43:49 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Modules Installer service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.

Error: (05/14/2015 07:43:28 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Gambali service, but this action failed with the following error: %%1058

If you have any problems uninstalling them, then just leave them and proceed with the instructions below. Your copy of Google Chrome has been corrupted, which is why it is included in the list. Once your computer is clean you can install a new clean copy, but in the meanwhile you'll need to use another browser.

Next ...

Click Start

Type notepad.exe in the search programs and files box and click Enter.

A blank Notepad page should open.

Copy/Paste the contents of the code box below into Notepad (don't include Code: Select all).

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install. All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

Select the option YES, I accept the Terms of Use then click on:

When prompted allow the Add-On/Active X to install.

Make sure that the option Remove found threats is NOT checked.

Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications

Scan for potentially unsafe applications

Enable Anti-Stealth Technology

Now click on:

The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.

When completed click on Start to start the scan.

Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

When completed you will be presented with a list of found threats ....

Click on the List of found threats link

Click on Export to text file

Save as ESET.txt to your Desktop

Exit out of ESET Online Scanner.

Post me the contents of ESET.txt please.

Summary of the logs I need from you in your next post:

Fixlog.txt

E-Set log

Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.

"C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe" => Could not move.
"C:\Program Files (x86)\SearchProtect\SearchProtect\bin\cltmng.exe" => Could not move.
C:\ProgramData\DQZCqeZhJD => Moved successfully.
"C:\Program Files (x86)\SearchProtect" => Could not move.
"C:\Users\Max\AppData\Local\SearchProtect" => Could not move.

OK, let's take care of the stuff that e-set found. A lot of stuff in the log is already safe, since we've quarantined it, so we'll leave that alone for the moment, we'll remove it later. This is the stuff that still needs dealing with.

Click Start

Type notepad.exe in the search programs and files box and click Enter.

A blank Notepad page should open.

Copy/Paste the contents of the code box below into Notepad (don't include Code: Select all).

Could not move "C:\Users\Max\AppData\Local\Microsoft\Windows\INetCache\IE\F9AFFZ6K" directory. => Scheduled to move on reboot.

C:\Users\Max\AppData\Local\Microsoft\Windows\INetCache\IE\K4O0T7E9 => Moved successfully.
C:\Users\Max\AppData\Local\Microsoft\Windows\INetCache\IE\OMP2X8E9 => Moved successfully.
C:\Users\Max\AppData\Local\Mozilla\Firefox\Profiles\174u8fal.default\cache2\entries\3389952AAE22DA2ED67443DF8D4C99E6AFA71E4B => Moved successfully.
C:\Users\Max\AppData\Local\Mozilla\Firefox\Profiles\174u8fal.default\cache2\entries\C25179E407B636BD1E8670AA50916F244E050F71 => Moved successfully.
C:\Users\Max\AppData\Local\SmartWeb => Moved successfully.
C:\Users\Max\AppData\Local\Temp\bes7A25.exe => Moved successfully.
C:\Users\Max\AppData\Local\Temp\ICReinstall_nss6A1F.tmp => Moved successfully.
C:\Users\Max\AppData\Local\Temp\nsi3E52.tmp => Moved successfully.
C:\Users\Max\AppData\Local\Temp\nss6A1F.tmp => Moved successfully.
C:\Users\Max\AppData\Local\Temp\nss7D93.tmp => Moved successfully.
C:\Users\Max\AppData\Local\Temp\f9626892-7a78-3199-abd2-97bbce96297b => Moved successfully.
C:\Users\Max\AppData\Local\Temp\is45637729\1308283_stp\icc.dll => Moved successfully.
C:\Users\Max\AppData\Local\Temp\nskAA97.tmp => Moved successfully.
C:\Users\Max\AppData\Roaming\P5FrFNBceXRT1W20d5av.exe => Moved successfully.
C:\Users\Max\AppData\Roaming\00000000-1430191812-0000-0000-6C626DB6DAC3 => Moved successfully.
"C:\Users\Max\AppData\Roaming\Mozilla\Firefox\Profiles\174u8fal.default\extensions\AVJYFVOD75109374@HCDE39471360.comapplication" => File/Directory not found.
C:\Users\Max\AppData\Roaming\Mozilla\Firefox\Profiles\174u8fal.default\extensions\TTSD90021300@PYDKGV101145942.com => Moved successfully.
C:\Users\Max\AppData\Roaming\Mozilla\Firefox\Profiles\174u8fal.default\extensions\veggy@veggyAddon.com => Moved successfully.
C:\Users\Max\AppData\Roaming\Mozilla\Firefox\Profiles\174u8fal.default\extensions\{746505DC-0E21-4667-97F8-72EA6BCF5EEF} => Moved successfully.
C:\Users\Max\Downloads\iain.banks.the.wasp.factory_10924_i53165781_il345.exe => Moved successfully.
Could not move "C:\Windows\apppatch\apppatch64\VCLdr64.dll" => Scheduled to move on reboot.
Could not move "C:\Windows\apppatch\nbin\VC32Loader.dll" => Scheduled to move on reboot.
C:\Windows\SysFilesController\SysFiles_backup.exe => Moved successfully.
C:\Windows\SysHealthController\SysFiles_backup.exe => Moved successfully.
C:\Windows\Temp\1863f8ql.exe => Moved successfully.

"C:\Program Files (x86)\SearchProtect" => Could not move.
C:\Program Files (x86)\Coupoon => Is moved successfully.
C:\Program Files (x86)\PathMaxx => Is moved successfully.
C:\Program Files (x86)\RapidMediaConverter => Is moved successfully.
"C:\Program Files (x86)\SearchProtect" => Could not move.
C:\Users\Max\AppData\Local\Microsoft\Windows\INetCache\IE\CJEXS4BH => Moved successfully.
C:\Users\Max\AppData\Local\Microsoft\Windows\INetCache\IE\F9AFFZ6K => Is moved successfully.
"C:\Windows\apppatch\apppatch64\VCLdr64.dll" => Could not move.
"C:\Windows\apppatch\nbin\VC32Loader.dll" => Could not move.

I followed the above instructions and executed the script, but an avenger.txt file was not generated. Unfortunately my computer still shows signs of malware, with pop-ups and ads. They say they are powered by CinemaPlus if that helps at all. There are also still unwanted desktop icons, such as Crossbrowse, some sort of internet browser that has replaced Firefox, PepperZip, Skype, which I did not download to this PC, Optimizer Pro, GUPlayer. Please advise on action to take.

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install. All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

Select the option YES, I accept the Terms of Use then click on:

When prompted allow the Add-On/Active X to install.

Make sure that the option Remove found threats is NOT checked.

Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications

Scan for potentially unsafe applications

Enable Anti-Stealth Technology

Now click on:

The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.

When completed click on Start to start the scan.

Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

When completed you will be presented with a list of found threats ....

Click on the List of found threats link

Click on Export to text file

Save as ESET.txt to your Desktop

Exit out of ESET Online Scanner.

Post me the contents of ESET.txt please.

Summary of the logs I need from you in your next post:

ADWCleaner log

JRT.txt

E-Set.txt

Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.

Successfully deleted: [Folder] C:\Users\Max\AppData\Roaming\mozilla\firefox\profiles\174u8fal.default\extensions\staged
Successfully deleted the following from C:\Users\Max\AppData\Roaming\mozilla\firefox\profiles\174u8fal.default\prefs.js
